Ensure destruction of OAuth Applications notifies streaming

Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destruction of access tokens.
glitch-soc/security/8c76a208ed30cc1bd54262302b2aed27ae142509
Emelia Smith 2023-10-14 21:53:50 +02:00 committed by Claire
parent 27bdd6df17
commit 320faea827
1 changed files with 15 additions and 0 deletions

@ -4,14 +4,29 @@ module ApplicationExtension
extend ActiveSupport::Concern
included do
include Redisable
has_many :created_users, class_name: 'User', foreign_key: 'created_by_application_id', inverse_of: :created_by_application
validates :name, length: { maximum: 60 }
validates :website, url: true, length: { maximum: 2_000 }, if: :website?
validates :redirect_uri, length: { maximum: 2_000 }
# The relationship used between Applications and AccessTokens is using
# dependent: delete_all, which means the ActiveRecord callback in
# AccessTokenExtension is not run, so instead we manually announce to
# streaming that these tokens are being deleted.
before_destroy :push_to_streaming_api, prepend: true
end
def confirmation_redirect_uri
redirect_uri.lines.first.strip
end
def push_to_streaming_api
# TODO: #28793 Combine into a single topic
access_tokens.in_batches.each do |token|
redis.publish("timeline:access_token:#{token.id}", Oj.dump(event: :kill))
end
end
end
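Review bot: `access_tokens.in_batches.each do |token|` in `push_to_streaming_api` does not yield individual tokens: `in_batches` yields `ActiveRecord::Relation` batches, so `token.id` inside the block is called on a relation rather than on an access token, and no per-token kill event reaches streaming. Either iterate records with `access_tokens.find_each do |token|`, or keep the batching and publish per id, e.g. `access_tokens.in_batches do |batch| batch.pluck(:id).each { |id| redis.publish("timeline:access_token:#{id}", Oj.dump(event: :kill)) } end`. The `before_destroy ..., prepend: true` placement itself is right, since it has to run before the `dependent: delete_all` removal of the tokens, but it is worth a spec that destroys an application with several tokens and asserts one publish per token id so this path does not regress silently.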